

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>OAuth2 Proxy &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/css/custom.css" type="text/css" />

  
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../../" src="../../../_static/documentation_options.js"></script>
        <script src="../../../_static/jquery.js"></script>
        <script src="../../../_static/_sphinx_javascript_frameworks_compat.js"></script>
        <script data-url_root="../../../" id="documentation_options" src="../../../_static/documentation_options.js"></script>
        <script src="../../../_static/doctools.js"></script>
        <script src="../../../_static/sphinx_highlight.js"></script>
    
    <script type="text/javascript" src="../../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../../genindex/" />
    <link rel="search" title="Search" href="../../../search/" />
    <link rel="next" title="Certificate Management" href="../../certmgr/" />
    <link rel="prev" title="Management Gateway" href="../mgmt-gateway/" /> 
</head>

<body class="wy-body-for-nav">

   
  <header class="top-bar">
    <div role="navigation" aria-label="Page navigation">
  <ul class="wy-breadcrumbs">
      <li><a href="../../../" class="icon icon-home" aria-label="Home"></a></li>
          <li class="breadcrumb-item"><a href="../../">Cephadm</a></li>
          <li class="breadcrumb-item"><a href="../">Service Management</a></li>
      <li class="breadcrumb-item active">OAuth2 Proxy</li>
      <li class="wy-breadcrumbs-aside">
            <a href="../../../_sources/cephadm/services/oauth2-proxy.rst.txt" rel="nofollow"> View page source</a>
      </li>
  </ul>
  <hr/>
</div>
  </header>
  <div class="wy-grid-for-nav">
    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search"  style="background: #eee" >
          

          
            <a href="../../../" class="icon icon-home"> Ceph
          

          
          </a>

          

          
<div role="search">
  <form id="rtd-search-form" class="wy-form" action="../../../search/" method="get">
    <input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>

          
        </div>

        
        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
          
            
            
              
            
            
              <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../../start/">Ceph 简介</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../install/">安装 Ceph</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../../">Cephadm</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../../compatibility/">Compatibility and Stability</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../install/">部署个全新的 Ceph 集群</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../adoption/">现有集群切换到 cephadm</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../host-management/">Host Management</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="../">Service Management</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="../mon/">MON Service</a></li>
<li class="toctree-l3"><a class="reference internal" href="../mgr/">MGR Service</a></li>
<li class="toctree-l3"><a class="reference internal" href="../osd/">OSD Service</a></li>
<li class="toctree-l3"><a class="reference internal" href="../rgw/">RGW Service</a></li>
<li class="toctree-l3"><a class="reference internal" href="../mds/">MDS Service</a></li>
<li class="toctree-l3"><a class="reference internal" href="../nfs/">NFS Service</a></li>
<li class="toctree-l3"><a class="reference internal" href="../iscsi/">iSCSI Service</a></li>
<li class="toctree-l3"><a class="reference internal" href="../custom-container/">Custom Container Service</a></li>
<li class="toctree-l3"><a class="reference internal" href="../monitoring/">Monitoring Services</a></li>
<li class="toctree-l3"><a class="reference internal" href="../snmp-gateway/">SNMP Gateway Service</a></li>
<li class="toctree-l3"><a class="reference internal" href="../tracing/">如何追踪各服务</a></li>
<li class="toctree-l3"><a class="reference internal" href="../smb/">SMB Service</a></li>
<li class="toctree-l3"><a class="reference internal" href="../mgmt-gateway/">Management Gateway</a></li>
<li class="toctree-l3 current"><a class="current reference internal" href="#">OAuth2 Proxy</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#deploying-oauth2-proxy">Deploying oauth2-proxy</a></li>
<li class="toctree-l4"><a class="reference internal" href="#benefits-of-the-oauth2-proxy-service">Benefits of the oauth2-proxy service</a></li>
<li class="toctree-l4"><a class="reference internal" href="#security-enhancements">Security enhancements</a></li>
<li class="toctree-l4"><a class="reference internal" href="#high-availability">High availability</a></li>
<li class="toctree-l4"><a class="reference internal" href="#accessing-services-with-oauth2-proxy">Accessing services with oauth2-proxy</a></li>
<li class="toctree-l4"><a class="reference internal" href="#service-specification">Service Specification</a></li>
<li class="toctree-l4"><a class="reference internal" href="#limitations">Limitations</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="../#service-status">Service Status</a></li>
<li class="toctree-l3"><a class="reference internal" href="../#daemon-status">Daemon Status</a></li>
<li class="toctree-l3"><a class="reference internal" href="../#service-specification">Service Specification</a></li>
<li class="toctree-l3"><a class="reference internal" href="../#daemon-placement">Daemon Placement</a></li>
<li class="toctree-l3"><a class="reference internal" href="../#extra-container-arguments">Extra Container Arguments</a></li>
<li class="toctree-l3"><a class="reference internal" href="../#extra-entrypoint-arguments">Extra Entrypoint Arguments</a></li>
<li class="toctree-l3"><a class="reference internal" href="../#custom-config-files">Custom Config Files</a></li>
<li class="toctree-l3"><a class="reference internal" href="../#removing-a-service">Removing a Service</a></li>
<li class="toctree-l3"><a class="reference internal" href="../#disabling-automatic-deployment-of-daemons">Disabling automatic deployment of daemons</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../certmgr/">Certificate Management</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../upgrade/">升级 Ceph</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../operations/">Cephadm operations</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../client-setup/">Client Setup</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../troubleshooting/">Troubleshooting</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../dev/cephadm/">Cephadm Feature Planning</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../rados/">Ceph 存储集群</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../cephfs/">Ceph 文件系统</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../rbd/">Ceph 块设备</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../radosgw/">Ceph 对象网关</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../mgr/">Ceph 管理器守护进程</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../mgr/dashboard/">Ceph 仪表盘</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../monitoring/">监控概览</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../api/">API 文档</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../architecture/">体系结构</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../dev/developer_guide/">开发者指南</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../dev/internals/">Ceph 内幕</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../governance/">项目管理</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../foundation/">Ceph 基金会</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../ceph-volume/">ceph-volume</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../releases/general/">Ceph 版本（总目录）</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../releases/">Ceph 版本（索引）</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../security/">Security</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../hardware-monitoring/">硬件监控</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../glossary/">Ceph 术语</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../jaegertracing/">Tracing</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../translation_cn/">中文版翻译资源</a></li>
</ul>

            
          
        </div>
        
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" aria-label="top navigation">
        
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="../../../">Ceph</a>
        
      </nav>


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>
  <div id="docubetter" align="right" style="padding: 5px; font-weight: bold;">
    <a href="https://pad.ceph.com/p/Report_Documentation_Bugs">Report a Documentation Bug</a>
  </div>

  
  <section id="oauth2-proxy">
<span id="deploy-cephadm-oauth2-proxy"></span><h1>OAuth2 Proxy<a class="headerlink" href="#oauth2-proxy" title="Permalink to this heading"></a></h1>
<section id="deploying-oauth2-proxy">
<h2>Deploying oauth2-proxy<a class="headerlink" href="#deploying-oauth2-proxy" title="Permalink to this heading"></a></h2>
<p>In Ceph releases starting from Squid, the <cite>oauth2-proxy</cite> service introduces an advanced method
for managing authentication and access control for Ceph applications. This service integrates
with external Identity Providers (IDPs) to provide secure, flexible authentication via the
OIDC (OpenID Connect) protocol. <cite>oauth2-proxy</cite> acts as an authentication gateway, ensuring that
access to Ceph applications including the Ceph Dashboard and monitoring stack is tightly controlled.</p>
<p>To deploy the <cite>oauth2-proxy</cite> service, use the following command:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><style type="text/css">
span.prompt1:before {
  content: "# ";
}
</style><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>apply<span class="w"> </span>oauth2-proxy<span class="w"> </span><span class="o">[</span>--placement<span class="w"> </span>...<span class="o">]</span><span class="w"> </span>...</span>
</pre></div></div><p>Once applied, <cite>cephadm</cite> will re-configure the necessary components to use <cite>oauth2-proxy</cite> for authentication,
thereby securing access to all Ceph applications. The service will handle login flows, redirect users
to the appropriate IDP for authentication, and manage session tokens to facilitate seamless user access.</p>
</section>
<section id="benefits-of-the-oauth2-proxy-service">
<h2>Benefits of the oauth2-proxy service<a class="headerlink" href="#benefits-of-the-oauth2-proxy-service" title="Permalink to this heading"></a></h2>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">Enhanced</span> <span class="pre">Security</span></code>: Provides robust authentication through integration with external IDPs using the OIDC protocol.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Seamless</span> <span class="pre">SSO</span></code>: Enables seamless single sign-on (SSO) across all Ceph applications, improving user access control.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Centralized</span> <span class="pre">Authentication</span></code>: Centralizes authentication management, reducing complexity and improving control over access.</p></li>
</ul>
</section>
<section id="security-enhancements">
<h2>Security enhancements<a class="headerlink" href="#security-enhancements" title="Permalink to this heading"></a></h2>
<p>The <cite>oauth2-proxy</cite> service ensures that all access to Ceph applications is authenticated, preventing unauthorized users from
accessing sensitive information. Since it makes use of the <cite>oauth2-proxy</cite> open source project, this service integrates
easily with a variety of <a class="reference external" href="https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/">external IDPs</a> to provide
a secure and flexible authentication mechanism.</p>
</section>
<section id="high-availability">
<h2>High availability<a class="headerlink" href="#high-availability" title="Permalink to this heading"></a></h2>
<p>In general, <cite>oauth2-proxy</cite> is used in conjunction with the <cite>mgmt-gateway</cite>. The <cite>oauth2-proxy</cite> service can be deployed as multiple
stateless instances, with the <cite>mgmt-gateway</cite> (nginx reverse-proxy) handling load balancing across these instances using a round-robin strategy.
Since oauth2-proxy integrates with an external identity provider (IDP), ensuring high availability for login is managed externally
and not the responsibility of this service.</p>
</section>
<section id="accessing-services-with-oauth2-proxy">
<h2>Accessing services with oauth2-proxy<a class="headerlink" href="#accessing-services-with-oauth2-proxy" title="Permalink to this heading"></a></h2>
<p>After deploying <cite>oauth2-proxy</cite>, access to Ceph applications will require authentication through the configured IDP. Users will
be redirected to the IDP for login and then returned to the requested application. This setup ensures secure access and integrates
seamlessly with the Ceph management stack.</p>
</section>
<section id="service-specification">
<h2>Service Specification<a class="headerlink" href="#service-specification" title="Permalink to this heading"></a></h2>
<p>Before deploying <cite>oauth2-proxy</cite> service please remember to deploy the <cite>mgmt-gateway</cite> service by turning on the <cite>--enable_auth</cite> flag. i.e:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>apply<span class="w"> </span>mgmt-gateway<span class="w"> </span>--enable_auth<span class="o">=</span><span class="nb">true</span></span>
</pre></div></div><p>An <cite>oauth2-proxy</cite> service can be applied using a specification. An example in YAML follows:</p>
<div class="highlight-yaml notranslate"><div class="highlight"><pre><span></span><span class="nt">service_type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">oauth2-proxy</span>
<span class="nt">service_id</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">auth-proxy</span>
<span class="nt">placement</span><span class="p">:</span>
<span class="w">  </span><span class="nt">label</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mgmt</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="w"> </span><span class="nt">https_address</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;0.0.0.0:4180&quot;</span>
<span class="w"> </span><span class="nt">provider_display_name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;My</span><span class="nv"> </span><span class="s">OIDC</span><span class="nv"> </span><span class="s">Provider&quot;</span>
<span class="w"> </span><span class="nt">client_id</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;your-client-id&quot;</span>
<span class="w"> </span><span class="nt">oidc_issuer_url</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;http://192.168.100.1:5556/dex&quot;</span>
<span class="w"> </span><span class="nt">client_secret</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;your-client-secret&quot;</span>
<span class="w"> </span><span class="nt">cookie_secret</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;your-cookie-secret&quot;</span>
<span class="w"> </span><span class="nt">ssl_certificate</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span>
<span class="w">   </span><span class="no">-----BEGIN CERTIFICATE-----</span>
<span class="w">   </span><span class="no">MIIDtTCCAp2gAwIBAgIYMC4xNzc1NDQxNjEzMzc2MjMyXzxvQ7EcMA0GCSqGSIb3</span>
<span class="w">   </span><span class="no">DQEBCwUAMG0xCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARVdGFoMRcwFQYDVQQHDA5T</span>
<span class="w">   </span><span class="no">[...]</span>
<span class="w">   </span><span class="no">-----END CERTIFICATE-----</span>
<span class="nt">ssl_certificate_key</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span>
<span class="w">   </span><span class="no">-----BEGIN PRIVATE KEY-----</span>
<span class="w">   </span><span class="no">MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5jdYbjtNTAKW4</span>
<span class="w">   </span><span class="no">/CwQr/7wOiLGzVxChn3mmCIF3DwbL/qvTFTX2d8bDf6LjGwLYloXHscRfxszX/4h</span>
<span class="w">   </span><span class="no">[...]</span>
<span class="w">   </span><span class="no">-----END PRIVATE KEY-----</span>
</pre></div>
</div>
<p>Fields specific to the <code class="docutils literal notranslate"><span class="pre">spec</span></code> section of the <cite>oauth2-proxy</cite> service are described below. More detailed
description of the fields can be found on <a class="reference external" href="https://oauth2-proxy.github.io/oauth2-proxy/">oauth2-proxy</a>
project documentation.</p>
<dl class="py class">
<dt class="sig sig-object py" id="ceph.deployment.service_spec.OAuth2ProxySpec">
<em class="property"><span class="pre">class</span><span class="w"> </span></em><span class="sig-prename descclassname"><span class="pre">ceph.deployment.service_spec.</span></span><span class="sig-name descname"><span class="pre">OAuth2ProxySpec</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">service_type</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">'oauth2-proxy'</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">service_id</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">config</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">networks</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">placement</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">https_address</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">provider_display_name</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">client_id</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">client_secret</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">oidc_issuer_url</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">redirect_url</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">cookie_secret</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">ssl_certificate</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">ssl_certificate_key</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">allowlist_domains</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">unmanaged</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">False</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">extra_container_args</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">extra_entrypoint_args</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">custom_configs</span></span><span class="o"><span class="pre">=</span></span><span class="default_value"><span class="pre">None</span></span></em><span class="sig-paren">)</span><a class="headerlink" href="#ceph.deployment.service_spec.OAuth2ProxySpec" title="Permalink to this definition"></a></dt>
<dd><dl class="py attribute">
<dt class="sig sig-object py" id="ceph.deployment.service_spec.OAuth2ProxySpec.client_id">
<span class="sig-name descname"><span class="pre">client_id</span></span><a class="headerlink" href="#ceph.deployment.service_spec.OAuth2ProxySpec.client_id" title="Permalink to this definition"></a></dt>
<dd><p>The client ID for authenticating with the identity provider.</p>
</dd></dl>

<dl class="py attribute">
<dt class="sig sig-object py" id="ceph.deployment.service_spec.OAuth2ProxySpec.client_secret">
<span class="sig-name descname"><span class="pre">client_secret</span></span><a class="headerlink" href="#ceph.deployment.service_spec.OAuth2ProxySpec.client_secret" title="Permalink to this definition"></a></dt>
<dd><p>The client secret for authenticating with the identity provider.</p>
</dd></dl>

<dl class="py attribute">
<dt class="sig sig-object py" id="ceph.deployment.service_spec.OAuth2ProxySpec.https_address">
<span class="sig-name descname"><span class="pre">https_address</span></span><a class="headerlink" href="#ceph.deployment.service_spec.OAuth2ProxySpec.https_address" title="Permalink to this definition"></a></dt>
<dd><p>The address for HTTPS connections, formatted as ‘host:port’.</p>
</dd></dl>

<dl class="py attribute">
<dt class="sig sig-object py" id="ceph.deployment.service_spec.OAuth2ProxySpec.oidc_issuer_url">
<span class="sig-name descname"><span class="pre">oidc_issuer_url</span></span><a class="headerlink" href="#ceph.deployment.service_spec.OAuth2ProxySpec.oidc_issuer_url" title="Permalink to this definition"></a></dt>
<dd><p>The URL of the OpenID Connect (OIDC) issuer.</p>
</dd></dl>

<dl class="py attribute">
<dt class="sig sig-object py" id="ceph.deployment.service_spec.OAuth2ProxySpec.provider_display_name">
<span class="sig-name descname"><span class="pre">provider_display_name</span></span><a class="headerlink" href="#ceph.deployment.service_spec.OAuth2ProxySpec.provider_display_name" title="Permalink to this definition"></a></dt>
<dd><p>The display name for the identity provider (IDP) in the UI.</p>
</dd></dl>

<dl class="py attribute">
<dt class="sig sig-object py" id="ceph.deployment.service_spec.OAuth2ProxySpec.ssl_certificate">
<span class="sig-name descname"><span class="pre">ssl_certificate</span></span><a class="headerlink" href="#ceph.deployment.service_spec.OAuth2ProxySpec.ssl_certificate" title="Permalink to this definition"></a></dt>
<dd><p>The multi-line SSL certificate for encrypting communications.</p>
</dd></dl>

<dl class="py attribute">
<dt class="sig sig-object py" id="ceph.deployment.service_spec.OAuth2ProxySpec.ssl_certificate_key">
<span class="sig-name descname"><span class="pre">ssl_certificate_key</span></span><a class="headerlink" href="#ceph.deployment.service_spec.OAuth2ProxySpec.ssl_certificate_key" title="Permalink to this definition"></a></dt>
<dd><p>The multi-line SSL certificate private key for decrypting communications.</p>
</dd></dl>

</dd></dl>

<p>The specification can then be applied by running the below command. Once becomes available, cephadm will automatically redeploy
the <cite>mgmt-gateway</cite> service while adapting its configuration to redirect the authentication to the newly deployed <cite>oauth2-service</cite>.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>apply<span class="w"> </span>-i<span class="w"> </span>oauth2-proxy.yaml</span>
</pre></div></div></section>
<section id="limitations">
<h2>Limitations<a class="headerlink" href="#limitations" title="Permalink to this heading"></a></h2>
<p>A non-exhaustive list of important limitations for the <cite>oauth2-proxy</cite> service follows:</p>
<ul class="simple">
<li><p>High-availability configurations for <cite>oauth2-proxy</cite> itself are not supported.</p></li>
<li><p>Proper configuration of the IDP and OAuth2 parameters is crucial to avoid authentication failures. Misconfigurations can lead to access issues.</p></li>
</ul>
<section id="container-images">
<h3>Container images<a class="headerlink" href="#container-images" title="Permalink to this heading"></a></h3>
<p>The container image the <cite>oauth2-proxy</cite> service will use can be found by running:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">config</span> <span class="n">get</span> <span class="n">mgr</span> <span class="n">mgr</span><span class="o">/</span><span class="n">cephadm</span><span class="o">/</span><span class="n">container_image_oauth2_proxy</span>
</pre></div>
</div>
<p>Admins can specify a custom image to be used by changing the <cite>container_image_oauth2_proxy</cite> cephadm module option.
If there were already running daemon(s), you must also redeploy the daemon(s) for them to use the new image.</p>
<p>For example:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>ceph<span class="w"> </span>config<span class="w"> </span><span class="nb">set</span><span class="w"> </span>mgr<span class="w"> </span>mgr/cephadm/container_image_oauth2_proxy<span class="w"> </span>&lt;new-oauth2-proxy-image&gt;
ceph<span class="w"> </span>orch<span class="w"> </span>redeploy<span class="w"> </span>oauth2-proxy
</pre></div>
</div>
</section>
</section>
</section>



<div id="support-the-ceph-foundation" class="admonition note">
  <p class="first admonition-title">Brought to you by the Ceph Foundation</p>
  <p class="last">The Ceph Documentation is a community resource funded and hosted by the non-profit <a href="https://ceph.io/en/foundation/">Ceph Foundation</a>. If you would like to support this and our other efforts, please consider <a href="https://ceph.io/en/foundation/join/">joining now</a>.</p>
</div>


           </div>
           
          </div>
          <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
        <a href="../mgmt-gateway/" class="btn btn-neutral float-left" title="Management Gateway" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
        <a href="../../certmgr/" class="btn btn-neutral float-right" title="Certificate Management" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
    </div>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).</p>
  </div>

   

</footer>
        </div>
      </div>

    </section>

  </div>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>

  
  
    
   

</body>
</html>